Friday, April 29, 2011

About EnableSuToRoot registry key for SUA

User Account Control is enabled by default. When User Account Control is enabled, any application or task that impersonates another user who is a member of the Administrators group (by using the su, cron, or login utilities, setuid, any of the setuid or exec_asuser family of calls, as examples) always runs in the security context of a standard user account.
Note
When an application impersonates a standard user, it will have the complete security context of a standard user. For more information about standard users, see the Microsoft Web site topic "Developer Best Practices and Guidelines for Applications in a Least Privileged Environment," Introduction section (http://go.microsoft.com/fwlink/?LinkId=70243).
With default settings, an application cannot impersonate the root user. You can control this behavior by modifying the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SUA\EnableSuToRoot.



How to modify the EnableSuToRoot registry key



Important
The Administrator account is disabled by default in Windows 7 and Windows Server 2008 R2 to help protect computers and data from access by unauthorized or malicious users, and it must be enabled for users to impersonate the root user or Administrator. Because the Administrator account must first be enabled to change the setting of the EnableSuToRoot registry key, the procedure to complete this task immediately follows. You must be a member of the Administrators group on the local computer to complete the following procedure.

To enable the Administrator account

  1. Click Start, right-click Computer, and then click Manage.
  2. In the hierarchy pane of the Computer Management snap-in, open Local Users and Groups.
  3. Select Users.
  4. In the results pane, right-click Administrator, and then click Properties.
  5. Clear the check box for the Account is disabled option.
  6. Click OK.
  7. Close the Properties window, and then close the Computer Management snap-in.
Perform the following steps to change the setting of the EnableSuToRoot registry key after you install Subsystem for UNIX-based Applications.

To change the setting of the EnableSuToRoot registry key

  1. Click Start, click in the Start Search text box, and type regedit to open Registry Editor.
  2. In the hierarchy pane, open HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SUA.
  3. In the results pane, double-click EnableSuToRoot.
  4. In the Value data box, enter 0 to disallow impersonation of the root user, or 1 to allow it.
    The default setting is 0.
  5. Click OK.
  6. Close Registry Editor; if prompted, save your changes.

When the value of this key is set to 0 (the default setting), impersonation of the root user is disallowed. When the value is set to 1, impersonation of the root user is allowed. When an application impersonates the root user or Administrator account, the application has the administrative security context of the root (Administrator) user.

Setuid and Administrative Privilege


If users who are members of the Administrators group attempt to mark applications with the setuid attribute, they would succeed only if they are allowed to run applications and perform tasks in an administrative security context.
The following is an example of how to mark the binary file /bin/regpwd, which is typically marked with the setuid attribute:
  1. Open a Korn shell (ksh) with elevated privilege as described in this topic.

  2. Type chmod +s /bin/regpwd and then press ENTER.

  3. Type exit to close the ksh session.

Modify the number of connections

Better to modify in order to allow other connection and virtualization of other machines as:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\Connections\MaxNumFilters

No comments:

HTMLCode

HTMLCode Content